Incorrect validation certificate for challenge


#1

So I was already using a certificate on my Ubuntu 15.10/Apache2 server but it expired. Having heard of Let’s Encrypt I decided to switch to it. Unfortunately, I am unable to make it work correclty.
Here is what I’ve done:

wget https://dl.eff.org/certbot-auto
chmod a+x certbot-auto
./certbot-auto --apache

It then installed a bunch of packages and asked me for certificate info : domain name and mail address.

End log :

No names were found in your configuration files. Please enter in your domain
name(s) (comma and/or space separated) (Enter ‘c’ to cancel):vps158186.ovh.net
Obtaining a new certificate
Performing the following challenges:
tls-sni-01 challenge for vps158186.ovh.net
Waiting for verification…
Cleaning up challenges
Failed authorization procedure. vps158186.ovh.net (tls-sni-01): urn:acme:error:unauthorized :: The client lacks sufficient authorization :: Incorrect validation certificate for tls-sni-01 challenge. Requested 9306bd1878dbffb775d3327851226d25.8edab4427c0c87cedc80a1253933860d.acme.invalid from 176.31.167.47:443. Received 1 certificate(s), first certificate had names “vps158186.ovh.net

IMPORTANT NOTES:
 - The following errors were reported by the server:

Domain: vps158186.ovh.net
Type: unauthorized
Detail: Incorrect validation certificate for tls-sni-01 challenge.
Requested
9306bd1878dbffb775d3327851226d25.8edab4427c0c87cedc80a1253933860d.acme.invalid
from 176.31.167.47:443. Received 1 certificate(s), first
certificate had names “vps158186.ovh.net

Full log is avaible at https://pastebin.com/LN4f9sJF


Incorrect validation certificate for tls-sni-01 challenge again and again
#2

I am getting the exact same thing on my website
www.dailyhosting.net iam trying to get the ssl to work. Thank you for any help.


Issue with renew, apache, multiple virtual hosts, and inactive ones
#3

Quoting some documentation that I’m in the process of writing:

  • Offering a specified certificate on a web site

This method is called the TLS-SNI-01 challenge. In this challenge, the certificate authority will expect a specified digital certificate to be provided by the web server in response to an HTTPS request using a particular made-up domain name. The request will be made using HTTPS on TCP port 443. You cannot choose a different port number.

This certificate is a self-signed certificate created by Certbot. You use it only temporarily to prove your control over a domain name. It’s not the same as the certificate for your site that will later be issued by Let’s Encrypt once you’ve proven that you control the site.

Common problems with the TLS-SNI-01 challenge:

  • You aren’t running Certbot on your web server

    Most people should install and run Certbot on their web server hosting their website, not on their laptops or some other computer. While you can use Certbot in manual mode on a laptop and then separately set up the appropriate files on your webserver, it’s not likely to be the most convenient way to get a certificate for most users.

  • A domain name you’re requesting a certificate for isn’t correctly pointed at that web server

    In most cases, every name you’re requesting a certificate for should already exist and be pointed to the server where you’re requesting that certificate. (Some alternatives exist for complex network configurations, but they’re the exception rather than the rule.)

  • You’re using a content delivery network (CDN)

    TLS-SNI-01 doesn’t work with CDNs (like CloudFlare and Akamai). You have to use a different challenge type. (This is a special case of the previous problem: the domain name is pointed at the CDN, not directly at your server.)

  • A firewall is blocking access to port 443

    The certificate authority needs to be able to connect to port 443 of your server in order to confirm that you satisfied the TLS-SNI-01 challenge. So that needs to be publicly reachable from the Internet, and not blocked by a router or firewall.

  • (With apache plugin)

    Certbot thinks you’re running Apache, but you aren’t running it, or you’re running a different server of some kind on port 443

  • (With apache plugin)

You have more than one virtualhost defined within a single configuration file in /etc/apache2/sites-available (which confuses Certbot; this is a bug which will be fixed in a forthcoming release)

  • (With nginx plugin)

    Certbot thinks you’re running nginx, but you aren’t running it, or you’re running a different server of some kind on port 443

  • (With apache or nginx plugin)

    Certbot doesn’t know how to modify your web server configuration correctly

  • (With standalone plugin)

    You tried to use --standalone when there was already some other program on your server listening to port 443

  • Your DNS records aren’t valid

    Try checking your DNS records with a tool like the DNSchecker at http://www.dnsstuff.com/ to make sure there are no serious errors. Sometimes a DNS error still allows your site to load in a web browser, but prevents the certificate authority from issuing a certificate.


Certbot run - Incorrect validation certificate for tls-sni-01 challenge
My site uses Apache. Auth failed 3 or 4 times. Now I'm rate limited. Please help!
Why letsencrypt takes my NS name?
Certbot - Running Certbot on a Machine that is Not the Web Server Means Challenges Fail
#4

I ruled out the following issues :
#1. You aren’t running Certbot on your web server
I’m running it on my server through an SSH connection
#2. A domain name you’re requesting a certificate for isn’t correctly pointed at that web server
I can access my server through port 443, but since there’s no index file, it returns a 403 error.
#3. You’re using a content delivery network (CDN)
My server is a Virtual Private Server, not sure if it is considered as a CDN.
#4. A firewall is blocking access to port 443
See #2.
Certbot thinks you’re running Apache, but you aren’t running it, or you’re running a different server of some kind on port 443
Nginx is not installed, plus see #2.

What I think might be the issue :
You have more than one virtualhost defined within a single configuration file in /etc/apache2/sites-available (which confuses Certbot; this is a bug which will be fixed in a forthcoming release)
I do have two VirtualHost entries in the same configuration file because of an app running on my server. I have absolutely no clue if this can be done in separate files (I don’t know much about how to configure webservers).


#5

This is probably the problem. You could wait for a forthcoming release that will fix the bug in Certbot that gets confused by this situation, or split these into two configuration files, or use a different authentication method (for example --webroot if you have a server speaking HTTP on port 80).


#6

As I don’t know how to split my configuration file, I guess I’ll have to wait for a fix.


#7

This topic was automatically closed 30 days after the last reply. New replies are no longer allowed.